ebook img

Android Forensics PDF

379 Pages·2011·39.01 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Android Forensics

Android Forensics Investigation, Analysis, and Mobile Security for Google Android Andrew Hoog John McCash, Technical Editor AMSTERDAM(cid:1)BOSTON(cid:1)HEIDELBERG(cid:1)LONDON NEWYORK(cid:1)OXFORD(cid:1)PARIS(cid:1)SANDIEGO SANFRANCISCO(cid:1)SINGAPORE(cid:1)SYDNEY(cid:1)TOKYO SyngressisanimprintofElsevier AcquiringEditor:AngelinaWard DevelopmentEditor:HeatherScherer ProjectManager:DanielleS.Miller Designer:RussellPurdy SyngressisanimprintofElsevier 225WymanStreet,Waltham,MA02451,USA (cid:1)2011Elsevier,Inc.Allrightsreserved. Nopartofthispublicationmaybereproducedortransmittedinanyformorbyanymeans, electronicormechanical,includingphotocopying,recording,oranyinformationstorageand retrievalsystem,withoutpermissioninwritingfromthepublisher.Detailsonhowtoseek permission,furtherinformationaboutthePublisher’spermissionspoliciesandour arrangementswithorganizationssuchastheCopyrightClearanceCenterandtheCopyright LicensingAgency,canbefoundatourwebsite:www.elsevier.com/permissions. Thisbookandtheindividualcontributionscontainedinitareprotectedundercopyrightbythe Publisher(otherthanasmaybenotedherein). Notices Knowledgeandbestpracticeinthisfieldareconstantlychanging.Asnewresearchand experiencebroadenourunderstanding,changesinresearchmethodsorprofessionalpractices maybecomenecessary.Practitionersandresearchersmustalwaysrelyontheirown experienceandknowledgeinevaluatingandusinganyinformationormethodsdescribed herein.Inusingsuchinformationormethodstheyshouldbemindfuloftheirownsafetyand thesafetyofothers,includingpartiesforwhomtheyhaveaprofessionalresponsibility. Tothefullestextentofthelaw,neitherthePublishernortheauthors,contributors,oreditors, assumeanyliabilityforanyinjuryand/ordamagetopersonsorpropertyasamatterof productsliability,negligenceorotherwise,orfromanyuseoroperationofanymethods, products,instructions,orideascontainedinthematerialherein. LibraryofCongressCataloging-in-PublicationData Applicationsubmitted BritishLibraryCataloguing-in-PublicationData AcataloguerecordforthisbookisavailablefromtheBritishLibrary. ISBN:978-1-59749-651-3 ForinformationonallSyngresspublicationsvisit ourwebsiteatwww.syngress.com PrintedintheUnitedStatesofAmerica 1112131415 10987654321 Dedication To my beautiful spousewho has endured my extended absenteeism as I wrote this book. She is my motivation, my friend, my partner, and the root of my happiness. This bookisdedicated toher. And to my wonderful daughters. You light up our lives and know more about Android forensics than any other 6-year-olds. May your lives be full of learning, success,and happiness. Acknowledgements I now understand that the phrase “It takes a village.” applies equally to writing a book asit does to raising children. As such, Iwish toacknowledge thevillage: (cid:129) My family (see Dedication). (cid:129) Lee Haas, for excellenteditingand attemptsto keep me on schedule (cid:129) Ted Eull, who coined to term “deHOOGification,” which provides an immense servicetoyou,thereader,astheideasbouncingaroundinmyheaddon’talways comeoutthatclearwhenIpersistthemtowords.Tedisalsoagreatfriendandall around swell guy. Many thanks to his better half for her patience in putting up with the long hours racked upby motivated geeks at a tech start-up. (cid:129) ChrisTriplett,fordivingheadfirstintoAndroidanddoinganamazingjobatit. Chris is also excellent at patching drywall and providing some comic relief by applying farm English todigital forensics. (cid:129) KatieStrzempka, forgenerallytaking careofthatotherbook(“iPhoneandiOS Forensics”). Please buythatone too,seriously. (cid:129) Myparents,StevieandAl,whosetmeonthecorrectpathfromthestartandwere always there to remind me if I swervedoff abit. (cid:129) ToHarmoneeandHadabogee,whosehelpwithourdaughters,dinner,andother areasisimmensely appreciated. (cid:129) TothemenandwomenwhobravelyservethepublicinterestinLocal,State,and Federallawenforcementandothergovernment agencies.Weappreciateallthat you do toprotectand serveour communities and countries. (cid:129) To Google, for seeing the value in Android and creating a new paradigm of openness for mobile devices. (cid:129) ToApple,for providingthe opposite paradigm. (cid:129) And finally to the reader. I hope that you find this book useful and certainly do appreciateyour support. xiii Introduction TheAndroidmobileplatformhasquicklyrisenfromitsfirstphoneinOctober2008 to the most popular mobile operating system in the world by early 2011. The explosive growth of the platform has been a significant win for consumers with respect to competition and features. However, forensic analysts and security engi- neers have struggled as there is a lack of knowledge and supported tools for investigatingthesedevices.Thisbookseekstoaddressissuesnotonlybyproviding in-depth insights into Android hardware, software, and file systems but also by sharing techniques for the forensic acquisition and subsequent analysis of these devices.Forreaderswithlimitedforensicexperience,thisbookcreatesstep-by-step examplesthatusefree,opensourceutilitiessothereadercandirectlyparticipatein theexamples.AsthefreeAndroidsoftwaredevelopmentkitprovidesafullAndroid emulator,readers do notevenneed topossessan Android device. As Android devices grow in numbers, an increased awareness of the data they possesswillequallygrow.Unfortunately,muchofthatinterestwillcomefromcyber criminalorganizationswhorealizethatsuccessfulattacksagainsttheplatformwill yieldsignificantresultsasthedevicescontainenormousquantitiesofpersonaland businessinformation.Thesolutiontothisthreatrequiresadeepunderstandingofthe platform not only from core Android developers and manufacturers but also from appdevelopersandcorporatesecurityofficers.Moresecureappswillpreventlossof sensitiveinformationaswellasstrongpoliciesthatcanbeputinplacebyITsecurity managers. Although most of the discussed statistics about Android focus on smartphones andnowtablets,therearemanymoredevicesthatcurrentlyorinthenearfuturewill run Android. Some examples include vehicles, televisions, GPS, gaming devices, netbooks,andawidevarietyofotherconsumerdevices.Androidwillbepresentin an increasingly significant percentage of investigations for both forensic analysts andsecurityengineers.Finally,theappealofAndroidisnotspecifictoanyparticular country or region and as such will impact individuals, corporations, and agencies throughouttheworld. The following paragraphs contain a brief summary ofeach of the chapters. CHAPTER 1 ThischapterprovidesnotonlyahistoryoftheAndroidplatformbutalsodiscusses the AndroidOpenSource Project(AOSP),theinternationalization ofthe platform, the Android Market, a brief Linux tutorial, and a quick fb-non-chapter to Android forensics. It also provides a step-by-step tutorial for creating an Ubuntu-based virtual machine (VM), which will be used throughout the book in examples. The UbuntuVMisahighlyrecommendedcomponentofthisbookandcanalsobeused outside ofthe book for Androidforensiccases. xv xvi Introduction CHAPTER 2 In this chapter, a wide array of Android-supported hardware and device types is covered. Although the hardware compatibility is great for manufacturers, wireless providers, and ultimately consumers, this diversity poses challenges for forensic analysts and security engineers. Understanding the hardware components, device types, and boot process for Android will aid in your overall understanding of Android andassist in both forensicand security investigations. CHAPTER 3 ThischaptercoversthevariousAndroidreleases,theAndroidsoftwaredevelopment kit (SDK), the Davlik virtual machine, key components of Android security, and severalotherconceptscoretoAndroidforensicssuchastheAndroiddebugbridge (adb)andtheUSBdebuggingsetting.Step-by-stepexamplesincludeinstallingthe SDKon Linux, OS X, and Windows as well as creating an Android virtual device that can be used totestforensictechniques. CHAPTER 4 Thischaptercoverstheinformationneededtounderstandhowdataarestoredonan Android device. This includes reviewing the methods in which data are stored (sharedpreferences,files,SQLite,andnetwork)aswellasthetypesofmemoryused inanAndroiddevicesuchasRAMandtheallimportantNANDflash.Thevarious file systems the reader might encounter in an Android device are also covered in great detailincludingtheYAFFS2, EXT,FAT32/FAT16,andavarietyoflow-level file systems. CHAPTER 5 This chapter covers the security of Android devices, data, and apps. A review not only of how data can be exfiltrated from an Android device is covered but also of how an Android device can be used as an active attack vector. After discussing severaloverarchingsecurityconcepts,thischapterprovidesspecificadviceforthree primary audiences: individuals, corporate security, and app developers. As the growthofAndroidcontinues,issuesofdatasecuritywillbeincreasinglyimportant andthischapterprovidesathoroughandpracticalfb-non-chaptertothisimportant topic. Introduction xvii CHAPTER 6 Thischaptercoversspecifictechniquesthatareusefulintheforensicacquisitionof Android devices. After clarifying the different types of acquisitions and providing procedures for handling an Android device, seven different strategies for circum- venting a pass code are discussed. Next, techniques and a specific script for acquiringan SD card and, ifpresent, the Embedded MultiMediaCard (eMMC)are covered. Logical acquisition techniques are then covered including ones built into AndroidandtheSDK,asolutionfreetolawenforcementandgovernmentagencies called AFLogical, and finally a review of six commercial forensic software pack- ages. Finally, techniques for acquiring a physical image of the NAND flash are described in detail including six strategies for gaining root privileges and the AFPhysical technique developedbyviaForensics. CHAPTER 7 In this final chapter, strategies and specific utilities are provided, which enable a forensic analyst or security engineer to analyze an acquired Android device. Although many of the techniques used in traditional forensic investigations are applicable in Android forensics analysis, the new file system and the underlying hardware characteristics require new techniques. Without these new techniques, little content and value can be extracted from an Android physical acquisition. Beyond providing the background and actual utilities, an overview of Android’s directorystructureaswellasanin-depthanalysisof11importantapplicationsthat provide significant data about the device are given. Armed with this knowledge, a forensic analyst or security engineer can investigate any Android device they encounter. WEBSITE For companion material including code, programs and updates please visit: http:// viaforensics.com/education/android-forensics-mobile-security-book/ About the Author AndrewHoogisacomputerscientist,certifiedforensicanalyst(GCFAandCCE), computer and mobile forensics researcher, former adjunct professor (assembly language),andcofounderofviaForensics,aninnovativedigitalforensicandsecurity firm.Hedivideshisenergiesbetweeninvestigations,forensicsoftwaredevelopment, andresearchindigitalforensicsandsecurity.Healsohastwopatentspendinginthe areas of forensics and data recovery. He lives in Oak Park, IL, where he enjoys spending time with his family, traveling, great wine, science fiction, and tinkering with geeky gadgets. About the Technical Editor John McCash (CompTIA Sec+, GCIH, GAWN, GCFA, EnCE, GREM, SANS LethalForensicator) isa23-yearITveteran.He hasspecializedinSecurityforthe last15years,andForensicsforthelast4years.McCashhasextensiveexperiencein digitalforensics,security/system/network administration,andincident response on diverseplatformsinveryheterogeneousenvironments.HeobtainedhisBSandMS in CS at Bradley University in 1988. Currently John works for a major telecom- munications equipment provider, and is a semiregular contributor to the SANS ForensicBlog. xix About the Author AndrewHoogisacomputerscientist,certifiedforensicanalyst(GCFAandCCE), computer and mobile forensics researcher, former adjunct professor (assembly language),andcofounderofviaForensics,aninnovativedigitalforensicandsecurity firm.Hedivideshisenergiesbetweeninvestigations,forensicsoftwaredevelopment, andresearchindigitalforensicsandsecurity.Healsohastwopatentspendinginthe areas of forensics and data recovery. He lives in Oak Park, IL, where he enjoys spending time with his family, traveling, great wine, science fiction, and tinkering with geeky gadgets. About the Technical Editor John McCash (CompTIA Sec+, GCIH, GAWN, GCFA, EnCE, GREM, SANS LethalForensicator) isa23-yearITveteran.He hasspecializedinSecurityforthe last15years,andForensicsforthelast4years.McCashhasextensiveexperiencein digitalforensics,security/system/network administration,andincident response on diverseplatformsinveryheterogeneousenvironments.HeobtainedhisBSandMS in CS at Bradley University in 1988. Currently John works for a major telecom- munications equipment provider, and is a semiregular contributor to the SANS ForensicBlog. xix

Description:
Android Forensics. Investigation, Analysis, and Mobile Security for. Google Android. Andrew Hoog. John McCash, Technical Editor. AMSTERDAM
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.